<!DOCTYPE html>
<html lang="en-US">
<head>
	<title>vx-underground</title>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<meta charset="utf-8" />
	<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
	<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
	<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
	<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
	<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
	<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
	<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
	<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
	<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
	<link rel="icon" type="image/png" sizes="192x192" href="/android-icon-192x192.png">
	<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
	<link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png">
	<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
	<link rel="manifest" href="/manifest.json">
<style>
* {
  box-sizing: border-box;
}

body {
  font-family: Arial;
  color: #fff;
  padding: 10px;
  background: #000;
}

.header {
  color: #000;
  padding: 30px;
  text-align: center;
  background-image: url('headerbg.PNG');
  background-repeat: no-repeat;
  background-position: center;
  background-color: black;
}

.header h1 {
  font-size: 50px;
}

.topnav {
  overflow: hidden;
  background-color: #000;
}

.topnav a {
  float: left;
  display: block;
  color: #fff;
  text-align: center;
  padding: 14px 16px;
  text-decoration: none;
}

.topnav a:hover {
  background-color: #ddd;
  color: black;
}

.leftcolumn {   
  float: left;
  width: 75%;
}

.rightcolumn {
  float: left;
  width: 25%;
  background-color: #000;
  padding-left: 20px;
}

.fakeimg {
  background-color: #aaa;
  width: 100%;
  padding: 20px;
}

.card {
  color: #000;
  background-color: #aaa;
  padding: 20px;
  margin-top: 20px;
}

.row:after {
  content: "";
  display: table;
  clear: both;
}

@media screen and (max-width: 800px) {
  .leftcolumn, .rightcolumn {   
    width: 100%;
    padding: 0;
  }
}

@media screen and (max-width: 400px) {
  .topnav a {
    float: none;
    width: 100%;
  }
}

a:link {
  color: inherit;
}

a:visited {
  color: green;
}

a:hover {
  color: green; /* '#green' is not a valid CSS color; the named color is intended */
}

a:active {
  color: blue;
}

</style>
</head>
<body>

<div class="header">
  <h1>v                                                    x</h1>
  <p>Invisible Text. Fuck you.</p>
  
</div>

<div class="topnav">
  <a href="index.html">Home</a>
  <a href="archive.html">Archive</a>
  <a href="https://github.com/vxunderground/MalwareSourceCode/">Code</a>
  <a href="https://github.com/vxunderground/VX-Zines/">Zines</a>
  <a href="windows.html">Windows Papers</a>
  <a href="linux.html">Linux Papers</a>
  <a href="av.html">AV Tech Papers</a>
  <a href="other.html">Other Papers</a>
  <a href="threatintel.html">Threat Intel</a>
  <a href="samples.html">Malware Samples</a>
  <a href="apts.html">APT Collection</a>
</div>

<div class="row">
  <div class="leftcolumn">
  
    <div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 23rd, 2021</h5>
	 
	  Samples:<br>
	    <a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Log4J Malware</a><br>
		<br>

	  APT Paper/Samples added:<br>
	    <a href="https://samples.vx-underground.org/APTs/2021/2021.12.03/">2021.12.03/TigerRAT</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.04/">2021.12.04/APT-C-23 aka Arid Viper: Cyber Espionage in the Palestine region</a><br>
	    <a href="https://samples.vx-underground.org/APTs/2021/2021.12.16/">2021.12.16/Lazarus: PseudoManuscrypt - a mass-scale spyware attack campaign</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.16(1)/">2021.12.16/New DarkHotel APT attack chain identified</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.16(2)/">2021.12.16/Avast finds Backdoor on US Government Commission Network</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.17/">2021.12.17/DSIRF: Uncovering the government spyware "Subzero"</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.17(1)/">2021.12.17/Serverless infostealer delivered in Eastern European countries</a><br>
		

    </div> 
  
  
  	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 21st, 2021</h5>
	  
	  Hello. We've made quite a few additions today. The entire vx-underground team has been busy with the Holiday season B-S. Enjoy!<br><br>

	  Samples added:<br>
	    <a href="https://samples.vx-underground.org/samples/Families/AtomSilo/">AtomSilo</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Babuk/">Babuk</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/BlackCatRansomware/">BlackCat Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/CerberRansomware/">Cerber Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/CollectorStealer/">CollectorStealer</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Glupteba/">Glupteba</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/HelloKitty/">HelloKitty</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/MooBot/">Moo Bot</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Phorpiex/">Phorpiex</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/PurpleFox/">PurpleFox</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/RansomExx">RansomEXX Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/StealBit">Stealbit</a><br>
		

    </div> 
  
  	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 20th, 2021</h5>

	  Samples added:<br>
	    <a href="https://samples.vx-underground.org/samples/Families/HiveRansomware/">Hive Ransomware samples and decryptor</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Log4J Malware</a><br>

    </div> 
  
  	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 18th - 19th, 2021</h5>
	  
	  <p>As we continue to add more Log4J malware samples to our malware collection, we have been working in the background to expand our malware sample library. We are currently re-indexing our samples and are sitting at approx. 4,200,000 samples. Organized families will be published December 20th, 2021.</p>

	  Recent Log4J samples added:<br>
	    <a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Log4J Malware</a><br>

    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 17th, 2021</h5>

	  Samples added:<br>
	    <a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Log4J Malware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/BlackCatRansomware/">BlackCat Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/YanluowangRansomware/">Yanluowang Ransomware</a><br>

    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 16th, 2021</h5>

	  Samples added:<br>
	    <a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Log4J Malware</a><br>
	    <a href="https://samples.vx-underground.org/APTs/2021/2021.11.24/">2021.11.24/APT-38 / Lazarus; JPCERT: Anatomy of COBRA</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.07(1)/">2021.12.07/TeamTNT stealing credentials using EC2 Instance Metadata</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.08/">2021.12.08/A deep dive into the latest obfuscation methods being used by ShadowPad</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.13/">2021.12.13/APT-C-61: Malspam against Navy Pakistan</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.13(1)/">2021.12.13/Kimsuky: malicious Excel documents targeting cryptocurrencies</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.14(1)/">2021.12.14/DarkWatchman: A new evolution in fileless techniques</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.14(2)/">2021.12.14/DoNot targeting Bangladesh with an Android infostealer</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.15/">2021.12.15/CERT-FR: APT31 Intrusion set campaign: description, countermeasures and code</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.15(1)/">2021.12.15/NCSC: Jolly Jellyfish - Non-persistent downloader for shellcode embedded in image files</a><br>
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 15th, 2021</h5>

	  Samples added:<br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.11.10(2)/">2021.11.10/Void Balaur</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.06/">2021.12.06/Phishing Campaigns By The Nobelium Intrusion Set</a><br>
		<a href="https://samples.vx-underground.org/APTs/2021/2021.12.07/">2021.12.07/FIN13: A Cybercriminal Threat Actor Focused on Mexico</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/CubaRansomware/">Cuba Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/DiavolRansomware/">Diavol Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Log4J Malware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Owowa/">Owowa</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/QuantumRansomware/">Quantum Ransomware</a><br>
		<a href="https://samples.vx-underground.org/samples/Families/Tor2Mine/">Tor2Mine</a><br>
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 14th, 2021</h5>

	  *December 12th - December 14th have been aggregations of LOG4J-focused malware<br>
	  Samples added:<br>
		<a href="https://samples.vx-underground.org/samples/Families/Log4J%20Malware/">Malware Abusing Log4J Exploit</a><br>
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 12th, 2021</h5>

	  Papers added:<br>
		<a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/flaviu.io-My%20Methods%20To%20Achieve%20Persistence%20In%20Linux%20Systems.pdf">Methods To Achieve Persistence In Linux Systems</a> by <a href="https://twitter.com/flavsecurity">flaviu</a><br> 
		<a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/medium.com-Systemd%20user%20level%20persistence%20There%20are%20multiple%20ways%20to%20keep%20%20by%20Alexey%20Petrenko.pdf">Systemd user level persistence</a> by Alexey Petrenko<br>
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 8th, 2021</h5>

	  Papers added:<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/ZipExec-main.zip">ZipExec - Using COM to execute password protected ZIP files</a> by <a href="https://twitter.com/Tyl0us">Tyl0us</a><br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/xllpoc-master.zip">XLLPOC - Code execution via Excel</a> by <a href="https://twitter.com/moo_hax">Moo Hax</a><br>
    </div> 
 
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 7th, 2021</h5>

	  APTs added:<br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.12.02/">2021.12.02/SideCopy APT</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.12.03/">2021.12.03/TigerRAT</a><br>
      <a href="https://samples.vx-underground.org/APTs/2021/2021.11.07(1)/">2021.11.07/IronTiger APT Campaign</a><br>
	  <br>
	  Samples added:<br>
	  <a href="https://samples.vx-underground.org/samples/Families/Android.CleaningService/">Android.CleaningService</a><br>
    </div> 
 
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 6th, 2021</h5>

	  APTs added:<br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.12.06/">2021.12.06/APT37 Using a New Android Spyware, Chinotto</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.11.30/">2021.11.30/EwDoor Botnet Is Attacking AT&T Customers</a><br>
	  <br>
	  Samples added:<br>
	  <a href="https://samples.vx-underground.org/samples/Families/Android.Psiphone/">Android.Psiphone</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/CobaltStrike/">CobaltStrike</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/BlackByte/">BlackByte</a><br>
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 3rd, 2021</h5>

	  APTs added:<br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.11.29(1)/">2021.11.29/ScarCruft surveilling North Korean defectors and human rights activists</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.12.01/">2021.12.01/Injection is the New Black: Novel RTF Template Inject</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.12.01(1)/">2021.12.01/Tracking a P2P network related to TA505</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.12.01(2)/">2021.12.01/Jumping the Air Gap: 15 years of Nation-state effort</a><br>
	  <br>
	  Samples added:<br>
	  <a href="https://samples.vx-underground.org/samples/Families/LockerGoga/">LockerGoga</a><br>
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 2nd, 2021</h5>

	  Linux papers added:<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/acsac20_cozzi.pdf">The Tangled Genealogy of IoT Malware</a> by Emanuele Cozzi, Pierre-Antoine Vervier, Matteo Dell’Amico, Yun Shen, Leyla Bilge, Davide Balzarotti<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/iot_mobisys19.pdf">Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud</a> by Fan Dang, Zhenhua Li, Yunhao Liu, Ennan Zhai, Qi Alfred Chen, Tianyin Xu, Yan Chen, Jingyu Yang<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/kerneldata.pdf">Kernel Data Attack is a Realistic Security Threat</a> by Jidong Xiao, Hai Huang, Haining Wang<br><br>
	  Windows papers added:<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf">Anatomy Of Native IIS Malware</a> by ESET<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/billdemirkapi.me-Abusing_Windows_Implementation_of_Fork_for_Stealthy_Memory_Operations.pdf">Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations</a> by <a href="https://twitter.com/BillDemirkapi">Bill Demirkapi</a><br>
	  
	 
    </div> 
	
	
	
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>December 1st, 2021</h5>

	  New malware samples added:<br>
	  <a href="https://samples.vx-underground.org/samples/Families/BotenaGo/">BotenaGo samples</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/Emotet/">Emotet samples</a><br><br>
	  APT additions:<br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.11.23/">2021.11.23/Android APT spyware, targeting Middle East victims, enhances evasiveness</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.11.25/">2021.11.25/A Deep Dive Into SoWaT: APT31’s Multifunctional Router Implant</a><br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.11.29/">2021.11.29/WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019</a><br>
	  
	 
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>November 29th, 2021</h5>

	  New malware samples added:<br>
	  <a href="https://samples.vx-underground.org/APTs/2021/2021.11.22/">APT Tardigrade</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/Cronrat/">Cronrat samples</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/RatDispenser/">RatDispenser samples</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/Android.Cynos/">Android.Cynos samples</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/Babadeda/">Babadeda Crypter samples</a><br>
	 
    </div> 
  
	<div class="card">
      <h2>vx-underground.org update</h2>
      <h5>November 28th, 2021</h5>
	
	  Malware samples added:<br>
	  <a href="https://samples.vx-underground.org/samples/Families/MacOS.Macma/">MacOS.Macma samples added</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/MosesStaff/">Moses Staff samples added</a><br>
	  <a href="https://samples.vx-underground.org/samples/Families/Emotet/">Emotet samples added</a><br><br>
	  APT additions:<br>
	  <a href="https://papers.vx-underground.org/archive/APTs/2021/2021.11.18/">2021.11.18 - NK TA APT samples added + paper</a><br><br>
	  Threat Intelligence materials added:<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/Conti_Ransomware_Group_In-Depth_Analysis.pdf">Conti Ransomware Group analysis paper added</a><br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/content_dam_blackberry-com_asset_enterprise_pdf_direct_bb-ebook-finding-beacons-in-the-dark.pdf">Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence by BlackBerry added</a><br>
    </div> 
  
     <div class="card">
      <h2>vx-underground.org update</h2>
      <h5>November 27th, 2021</h5>
	  
	  General Updates:<br>
	  The Notes from UG tab has been renamed to Threat Intel. This better describes this category and the material that will be present there.<br>
	  Darkweb site table added<br><br>
	  Malware Defense Updates:<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/sec21-avllazagaj.pdf">When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World</a><br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/ERNW-Whitepaper-71_AV_Quarantine_signed.pdf">Analysis Of Anti-virus Software Quarantine Files</a><br><br>
	  Threat Intelligence Updates:<br>
	  <a href="https://papers.vx-underground.org/papers/VXUG/Mirrors/BassterlordNetworkingManual.pdf">Bassterlord Networking Manual</a><br>
    </div> 
  
    <div class="card">
      <h2>vx-underground.org update</h2>
      <h5>November 26th, 2021</h5>

      <p>Hello and welcome to vx-underground.org 2.0. Our site has had a large aesthetic update. Historically our website used ASCII art and other more hackerish aesthetics. Although this was nice, it proved increasingly difficult to add, remove, or organize content.</p>
	  <p>The new aesthetic we're using is also fairly generic. It is nothing special. It does not contain large amounts of images, CSS, or JavaScript. It is still HTML and basic CSS. We hope the website is easily navigable and easy on the eyes.</p>
	  <p>Special thanks to our donors, Twitter supporters, and everyone else who has continued to support us as we traverse these volatile waters.</p>
	  <p>Sincerely,<br>The vx-underground team</p>
    </div> 
  </div>
  
  
  <div class="rightcolumn">
    <div class="card">
      <h2>Other VXUG Links</h2>
      <p><a href="https://twitter.com/vxunderground">Official vx-underground Twitter</a></p>
	  <p><a href="/cdn-cgi/l/email-protection#f7818f8290b799829b9bd9999283">Contact & Compliance Email</a></p>
	  <p><a href="https://discord.com/invite/3mxXqnD78a">Official vx-underground Discord</a></p>
	  <p><a href="https://donorbox.org/vx-underground-2021">Donate to vx-underground</a></p>
	  <p><a href="https://transi.store/">Buy vx-underground Merchandise</a></p>
    </div>
    <div class="card">
      <h3>Want to sponsor vx-underground?</h3>
      <p>Your information could go here</p>
    </div>
  </div>
</div>



<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>


